PT-2025-53686 · Smartertools · Smartermail

Chua Meng Han · Published 2025-12-29 · Updated 2026-01-12 · CVE-2025-52691

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SmarterMail versions prior to Build 9413
SmarterMail version 9406
SmarterMail versions prior to Build 9406
SmarterMail versions prior to October 9, 2025
Description
A critical vulnerability exists in SmarterMail that allows unauthenticated attackers to upload arbitrary files to any location on the mail server. Successful exploitation could lead to remote code execution (RCE), potentially enabling full server compromise, data theft, ransomware deployment, and lateral movement within a network. The vulnerability, tracked as CVE-2025-52691, has a CVSS score of 10.0, indicating maximum severity. A public proof-of-concept (PoC) exploit has been released, increasing the risk of exploitation. The vulnerable endpoint is /api/upload: the guid parameter within contextData is susceptible to a path traversal attack. Approximately 101,000 instances of SmarterMail are exposed. The Singapore Cyber Security Agency (CSA) has issued an alert regarding this vulnerability.
Recommendations
Upgrade SmarterMail to Build 9413 or later immediately.
Upgrade SmarterMail to Build 9483.
For versions prior to Build 9413, upgrade to the latest available version.
For versions prior to October 9, 2025, upgrade to Build 9413 or later.
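As an added example (not code from SmarterTools, the advisory, or the PoC), the kind of server-side check that closes this class of bug: the client-supplied guid is validated against a strict GUID shape before it is used in a path, and the final write location is confirmed to stay under the upload root. The upload root, function name and parameter names are assumptions for illustration.

```python
import os
import re
import uuid
from pathlib import Path
from typing import Optional

# Canonical 8-4-4-4-12 hex GUID. Anything else (including "../" sequences,
# drive letters or absolute paths) is rejected before touching the filesystem.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def resolve_upload_path(upload_root: str, guid: str, filename: str) -> Optional[str]:
    """Return the only path an upload for this guid may be written to,
    or None if the request must be refused. (Hypothetical helper.)"""
    # 1. Allow-list validation of the guid: shape first, then canonicalise.
    if not GUID_RE.fullmatch(guid):
        return None
    canonical_guid = str(uuid.UUID(guid))  # lowercase, fixed layout

    # 2. Keep only the basename of the client filename so it cannot carry
    #    directory components of its own.
    safe_name = os.path.basename(filename.replace("\\", "/"))
    if safe_name in ("", ".", ".."):
        return None

    # 3. Containment check: after resolving symlinks and dot segments the
    #    candidate must still be strictly below the configured upload root.
    root = Path(upload_root).resolve()
    candidate = (root / canonical_guid / safe_name).resolve()
    if root not in candidate.parents:
        return None
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    root = "/var/lib/mail-uploads"
    good = "123E4567-E89B-12D3-A456-426614174000"
    print(resolve_upload_path(root, good, "report.pdf"))          # accepted
    print(resolve_upload_path(root, "../../../etc/cron.d", "x"))  # None
    print(resolve_upload_path(root, good, "../../x.aspx"))        # basename only
```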

Exploit

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-52691

Affected Products

Smartermail